Automated Semantics-Based Malware Detection through Static Analysis

(CSE Colloquium Lecture Series)

Speaker: Yu Feng, Ph.D. Student, Computer Science, University of Texas at Austin

Date: Friday, February 24, 2017
Time: 2:00pm
Location: Room 4140, CSE Building

Abstract: In response to the rapid dissemination of Android malware, there is a real need for tools that can automatically detect malicious applications that steal private user information. Two prevalent approaches for detecting such Android malware are taint analyzers and learning-based detectors. However, taint analyses cannot automatically distinguish benign apps from malware, and learning-based techniques require a large number of samples and produce results that are hard to interpret. In the end, a security auditor still needs to invest significant effort to verify suspicious behavior. In this talk, I will discuss how to automatically perform semantics-based malware detection through static analysis.

In the first project, I will present Apposcopy, a new semantics-based approach for identifying a prevalent class of Android malware that steals private user information. Apposcopy incorporates (i) a high level language for specifying signatures that describe semantic characteristics of malware families and (ii) a static analysis for deciding if a given application matches a malware signature. The signature matching algorithm of Apposcopy uses a combination of static taint analysis and a new form of program representation called Inter-Component Call Graph to efficiently detect Android applications that have certain control- and data-flow properties.

To reduce the manual effort of writing malware signatures in Apposcopy, the second project proposes a technique for automatically synthesizing malware signatures from very few samples of a malware family. The key idea underlying our technique is to look for a maximally suspicious common subgraph (MSCS) that is shared between all known instances of a malware family. An MSCS describes the shared functionality between multiple Android applications in terms of inter-component call relations and their semantic metadata (e.g., data-flow properties).
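The following toy model, added here as an illustration and not code from Apposcopy or its authors, shows the two ideas in the abstract on constructed inputs: matching an app against a signature expressed over inter-component calls and data-flow facts, and synthesizing that signature as the suspicious facts common to all samples of a family. The component types, taint sources, sinks and suspiciousness weights are assumptions for the example.

```python
# Toy model of signature matching and MSCS-style signature synthesis (added
# illustration, not Apposcopy's code). An app is abstracted to a set of facts
# about its inter-component call graph:
#   ("icc", src_component_type, dst_component_type)     -- an inter-component call
#   ("flow", component_type, taint_source, taint_sink)  -- a data-flow inside a component
# Facts use component types rather than class names, so that a subgraph can be
# "shared" across differently named apps. All sample apps below are constructed.
from typing import FrozenSet, Iterable, Tuple

Fact = Tuple[str, ...]

# Assumed suspiciousness weights: flows of sensitive data to the network or SMS
# count most; Activity-to-Activity calls count nothing (every benign app has them).
SINK_WEIGHTS = {"Internet": 3, "SMS": 3, "Log": 0}
ICC_WEIGHTS = {("BootReceiver", "Service"): 1}

def suspiciousness(fact: Fact) -> int:
    if fact[0] == "flow":
        return SINK_WEIGHTS.get(fact[3], 1)
    return ICC_WEIGHTS.get((fact[1], fact[2]), 0)

def synthesize_signature(samples: Iterable[FrozenSet[Fact]]) -> FrozenSet[Fact]:
    """Common subgraph of all family samples, keeping only suspicious facts.
    With non-negative weights this is the common subgraph of maximal total
    suspiciousness, i.e. a simplified MSCS."""
    common = frozenset.intersection(*samples)
    return frozenset(f for f in common if suspiciousness(f) > 0)

def matches(app: FrozenSet[Fact], signature: FrozenSet[Fact]) -> bool:
    """Signature matching: every fact of the signature must occur in the app."""
    return signature <= app

SAMPLE_A = frozenset({
    ("icc", "BootReceiver", "Service"), ("icc", "Activity", "Activity"),
    ("flow", "Service", "Location", "Internet"), ("flow", "Activity", "Contacts", "Log"),
})
SAMPLE_B = frozenset({
    ("icc", "BootReceiver", "Service"), ("icc", "Activity", "Service"),
    ("flow", "Service", "Location", "Internet"), ("flow", "Service", "DeviceId", "Internet"),
})
# A benign maps-style app: sends location to the network, but no boot-triggered service.
BENIGN_MAPS_APP = frozenset({
    ("icc", "Activity", "Activity"), ("icc", "Activity", "Service"),
    ("flow", "Service", "Location", "Internet"),
})

if __name__ == "__main__":
    sig = synthesize_signature([SAMPLE_A, SAMPLE_B])
    print(sorted(sig))
    print(matches(SAMPLE_A, sig), matches(BENIGN_MAPS_APP, sig))
```

The synthesized signature keeps only the boot-triggered service and its location-to-network flow, so the benign app, which shares the flow but not the call relation, does not match.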

Bio: Yu Feng is a fourth-year Ph.D. student at UT Austin advised by Isil Dillig. Yu is broadly interested in software verification, static analysis and program synthesis. He is especially interested in applying PL techniques to tackle security problems on smartphones.

Faculty host: CSE Prof. Deian Stefan